Netgear - Admin Credentials Disclosure & Remote Code Execution (CVE-2020-17409, CVE-2020-27866) (CVE-2020-17409, CVE-2020-27866)

Netgear router is affected by a Credential Disclosure vulnerability, located on the /setup.cgi endpoint. The root cause of this vulnerability consists in insufficient input validation of the HTTP request which allows remote unauthenticated attackers to request the plaintext admin user credentials from the mini_httpd service.

The risk exists that a remote unauthenticated attacker could use the obtained credentials to exploit the CVE-2020-27866 vulnerability which grants the attacker Remote Code Execution capabilities by activating the debug mode that enables the telnet service on port 23. Using the leaked credentials, the attacker can access the target router remotely and obtain privileged unrestricted access. This fully compromises the router and the attacker is able to steal confidential information, install ransomware or pivot to the internal network.

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Consult the advisories provided by Netgear and install the latest non-vulnerable firmware.

https://nvd.nist.gov/vuln/detail/CVE-2020-17409

https://nvd.nist.gov/vuln/detail/CVE-2020-27866

https://kb.netgear.com/000062304/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-PSV-2020-0258

https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers